
posture check (ZET) freezing process #770

Closed
NicFragale opened this issue Nov 19, 2024 · 2 comments · Fixed by #776

Comments

@NicFragale
Contributor

ZET/Linux is not handling (at least) the OS posture check correctly.

Steps to reproduce:

  1. Create a new service for something such as "ipecho.net:80/TCP"
  2. Create a new posture check that is to check the OS version of the identity to dial (ZET/Linux). Make the check for something greater than the actual version (e.g. 5.16.0 when 5.15.0 is the version).
  3. Add the service and posture check to a policy (AppNet) along with the ZET/Linux identity that should be able to dial it.
  4. On the ZET/Linux machine used to dial the service, attempt to curl to the service.
  5. Witness that the curl command hangs and that ZET also hangs. ZET shows nothing as far as a crash or otherwise - output to log stops entirely. ZET is required to be restarted by force at this point to reset.

Noted that the posture information is sent to the controller as the following appears in logs:

And the following also appears:

DEBUG ziti-edge-tunnel:ipc_event.c:119 send_events_message() Events Message => {"Op":"identity","Action":"updated","Fingerprint":"bn","Id":{"Name":"BNNW-GEXP NetFoundry Fragale-Nic ZDE-03","Identifier":"/opt/openziti/etc/identities/bn.json","FingerPrint":"bn","Active":true,"Loaded":true,"Config":{"ztAPI":"https://1c471bbe-81f7-42d5-b82c-a547d597ed7d.production.netfoundry.io:443"},"ControllerVersion":"v1.2.1","IdFileStatus":false,"NeedsExtAuth":false,"MfaEnabled":false,"MfaNeeded":false,"Services":[{"Id":"1jiEULVMlle6p6i7jScZP4","Name":"service-test-posture-check","Protocols":["tcp","udp"],"Addresses":[{"IsHost":true,"HostName":"ipecho.net","Prefix":0}],"Ports":[{"High":80,"Low":80},{"High":443,"Low":443}],"OwnsIntercept":true,"PostureChecks":[{"IsPassing":false,"QueryType":"OS","Id":"3vCIIYMtKGAMEbspGW5yIf","Timeout":-1,"TimeoutRemaining":-1}],"IsAccessible":false,"Timeout":-1,"TimeoutRemaining":-1,"Permissions":{"Bind":false,"Dial":true}}],"Metrics":{"Up":0,"Down":0},"MfaMinTimeout":-1,"MfaMaxTimeout":-1,"MfaMinTimeoutRem":-1,"MfaMaxTimeoutRem":-1,"MinTimeoutRemInSvc

Noted that if the posture check is looking for a version <= the actual version of environment, checking reveals TRUE/PASSING and the curl command does complete.

The following is the environment:

ziti-edge-tunnel version && uname -r
v1.2.6
6.15.0-117-generic

@NicFragale
Contributor Author

NicFragale commented Nov 19, 2024

UPDATE: Also noted that this problem occurs with any posture check that fails.

UPDATE: Also noted that process checking looks like it fails if it cannot create a hash over a file that is not readable by the runtime user.

@scareything
Member

scareything commented Nov 20, 2024

I attempted to reproduce this with ziti cli commands:

% ziti edge create posture-check os kernel-version -o 'Linux:>6.12.0' -a lnx.gt.6.12.0
% ziti edge update service-policy udp8080-dial -p '@kernel-version'

ZET was killed by segv upon intercepting a connection for the associated service:

connect_get_net_session_cb connect.c:483
ctrl_default_cb ziti_ctrl.c:234
ctrl_body_cb ziti_ctrl.c:495
http_message_cb http_req.c:381
http_req_process http_req.c:79
http_read_cb http.c:80
uv_link_propagate_read_cb uv_link_t.c:295
tls_read_cb tls_link.c:135
uv_link_propagate_read_cb uv_link_t.c:295
uv_link_source_wrap_read_cb uv_link_source_t.c:42
run_tunneler_loop ziti-edge-tunnel.c:1014
run_tunnel ziti-edge-tunnel.c:855
run ziti-edge-tunnel.c:1381
main ziti-edge-tunnel.c:2676

ps-segv.log

edit:

The segv only happens when the posture check is associated with the service when zet attempts to dial for the first time. Associating the posture check with the service after zet has dialed it results in what might look like a hang, but is actually just a failure to intercept/dial the service (at least in my case). The "hung" zet responded to a tunnel_status IPC command:

sudo /tmp/tmp.EFS3aqpeER/build/fedora-debug/programs/ziti-edge-tunnel/Debug/ziti-edge-tunnel tunnel_status
[sudo] password for scarey: 
{
  "Success":true,
  "Data":{
    "Active":false,
    "Duration":280361,
    "StartTime":"2024-11-20T20:30:26.559909Z",
    "Identities":[
      {
        "Name":"zet.fedora-41-vm",
        "Identifier":"\/media\/psf\/Home\/.ziti\/shawns-m1-mbp\/zet.fedora-41-vm.json",
        "FingerPrint":"\/media\/psf\/Home\/.ziti\/shawns-m1-mbp\/zet.fedora-41-vm",
        "Active":true,
        "Loaded":true,
        "Config":{
          "ztAPI":"https:\/\/shawns-m1-mbp.localdomain:1280\/edge\/client\/v1"
        },
        "ControllerVersion":"v0.0.0",
        "IdFileStatus":false,
        "NeedsExtAuth":false,
        "MfaEnabled":false,
        "MfaNeeded":false,
        "Services":[
          {
            "Id":"6FYxLro0n2QpXf4ny2NX4h",
            "Name":"udp8080",
            "Protocols":[
              "udp"
            ],
            "Addresses":[
              {
                "IsHost":true,
                "HostName":"udp8080.ziti",
                "Prefix":0
              }
            ],
            "Ports":[
              {
                "High":8080,
                "Low":8080
              }
            ],
            "OwnsIntercept":true,
            "PostureChecks":[
              {
                "IsPassing":false,
                "QueryType":"OS",
                "Id":"WJphxMqViEJZjvhyJfg4n",
                "Timeout":-1,
                "TimeoutRemaining":-1
              }
            ],
            "IsAccessible":false,
            "Timeout":-1,
            "TimeoutRemaining":-1,
            "Permissions":{
              "Bind":false,
              "Dial":true
            }
          }
        ],
        "Metrics":{
          "Up":0,
          "Down":0
        },
        "MfaMinTimeout":-1,
        "MfaMaxTimeout":-1,
        "MfaMinTimeoutRem":-1,
        "MfaMaxTimeoutRem":-1,
        "MinTimeoutRemInSvcEvent":-1,
        "MaxTimeoutRemInSvcEvent":-1,
        "ServiceUpdatedTime":"2024-11-20T20:31:17.072834Z",
        "Deleted":false,
        "Notified":false
      }
    ],
    "IpInfo":{
      "Ip":"100.64.1.1",
      "Subnet":"255.255.255.0",
      "MTU":65535,
      "DNS":"100.64.1.2"
    },
    "LogLevel":"trace",
    "ServiceVersion":{
      "Version":".",
      "BuildDate":"Wed-11\/20\/2024-06:27:49-EST"
    },
    "TunIpv4":"100.64.1.1",
    "TunIpv4Mask":24,
    "AddDns":false,
    "ApiPageSize":25
  },
  "Code":0
}

note PostureChecks -> IsPassing is false.
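To tell a genuine hang from a service that is merely blocked by a failing posture check, as the comment above distinguishes, here is an added diagnostic that is not part of the ziti-edge-tunnel project: it parses `tunnel_status` output and lists every service the tunneler marks inaccessible together with the posture checks that are not passing. The sample JSON is constructed from the shape shown in this thread; the second service ("udp9090") is invented to show a passing case.

```python
import json

# Constructed sample, trimmed to the fields this check needs, following the
# shape of the `tunnel_status` reply quoted in the thread. "udp9090" is invented.
SAMPLE_STATUS = """{
  "Success": true,
  "Data": {
    "Active": false,
    "Identities": [
      {
        "Name": "zet.fedora-41-vm",
        "Services": [
          {
            "Id": "6FYxLro0n2QpXf4ny2NX4h",
            "Name": "udp8080",
            "PostureChecks": [
              {"IsPassing": false, "QueryType": "OS", "Id": "WJphxMqViEJZjvhyJfg4n",
               "Timeout": -1, "TimeoutRemaining": -1}
            ],
            "IsAccessible": false,
            "Permissions": {"Bind": false, "Dial": true}
          },
          {
            "Id": "svc-constructed", "Name": "udp9090",
            "PostureChecks": [{"IsPassing": true, "QueryType": "OS", "Id": "chk-constructed",
                               "Timeout": -1, "TimeoutRemaining": -1}],
            "IsAccessible": true,
            "Permissions": {"Bind": false, "Dial": true}
          }
        ]
      }
    ]
  },
  "Code": 0
}"""


def blocked_services(status_text):
    """Return (identity, service, [(QueryType, check Id), ...]) for every service
    the tunneler reports as inaccessible while one of its posture checks fails.
    An empty list means no dial is being refused for posture reasons."""
    status = json.loads(status_text)
    if not status.get("Success"):
        raise ValueError("tunnel_status failed, Code=%s" % status.get("Code"))
    blocked = []
    for ident in status["Data"].get("Identities", []):
        for svc in ident.get("Services", []):
            failing = [(c.get("QueryType"), c.get("Id"))
                       for c in svc.get("PostureChecks", []) if not c.get("IsPassing")]
            if failing and not svc.get("IsAccessible", False):
                blocked.append((ident.get("Name"), svc.get("Name"), failing))
    return blocked
```

Run it against the live reply with `blocked_services(subprocess.check_output(["ziti-edge-tunnel", "tunnel_status"]))`; a non-empty result means the "hang" is a refused dial rather than a stuck process.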
